thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Respond with helpful and spec compliant error on invalid user credentials #1230

Closed. marc-mabe closed this 3 years ago

marc-mabe commented 3 years ago

See #967 #1175 #1093

This PR tries to solve the non-helpful error message if a user types in wrong credentials, in a much smaller scope than done in #1093, and hopefully can be merged and released much faster.

In #967 the error type should be invalid_grant (instead of invalid_credentials) and the HTTP status code should be 400 instead of 401, but this also changed the error message from The user credentials were incorrect. to The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. which is not user-friendly at all.

Instead of calling invalidGrant() (as done in #967) this PR calls invalidCredentials() but modifies the logic of invalidCredentials() to return invalid_grant with 400.

Interestingly invalidCredentials() wasn't used anymore since #967.

TODOs
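As an added example (not code from this PR or from the library), a small RFC 6749 section 5.2 compliance check for token-endpoint error responses, run over two constructed samples: the pre-PR shape (invalid_credentials with HTTP 401) and the shape this PR produces (invalid_grant with HTTP 400 and a short, readable error_description). The sample JSON bodies are constructed for illustration and are not captured from the library.

```python
import json

# RFC 6749 section 5.2: the error codes a token endpoint may return.
RFC6749_TOKEN_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}


def check_token_error_response(status, body):
    """Return a list of spec-compliance problems for one token-endpoint error.

    `status` is the HTTP status code, `body` the raw JSON response body.
    An empty list means the response is compliant with RFC 6749 section 5.2.
    """
    problems = []
    try:
        payload = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]

    error = payload.get("error")
    if error not in RFC6749_TOKEN_ERRORS:
        problems.append(f"error code {error!r} is not defined in RFC 6749 section 5.2")

    # Section 5.2: respond with HTTP 400 unless specified otherwise; only
    # invalid_client may use 401 (together with a WWW-Authenticate header).
    if error == "invalid_client":
        if status not in (400, 401):
            problems.append(f"HTTP status {status} should be 400 or 401 for invalid_client")
    elif status != 400:
        problems.append(f"HTTP status {status} should be 400 for {error!r}")

    # Section 5.2: error_description is optional, but if present it must be
    # printable ASCII (%x20-7E) without double quote or backslash.
    desc = payload.get("error_description")
    if desc is not None and not all(
        0x20 <= ord(c) <= 0x7E and c not in '"\\' for c in desc
    ):
        problems.append("error_description contains characters outside RFC 6749's allowed set")
    return problems


# Constructed samples (not captured from the library): before and after this PR.
BEFORE = (401, '{"error":"invalid_credentials",'
               '"error_description":"The user credentials were incorrect."}')
AFTER = (400, '{"error":"invalid_grant",'
              '"error_description":"The user credentials were incorrect."}')
```

Running `check_token_error_response(*BEFORE)` reports both the undefined error code and the wrong status, while the AFTER sample returns no problems and still carries the short user-facing message.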

Sephster commented 3 years ago

Hi @marc-mabe - seems like a good suggestion. Happy to approve this once the tests are fixed. Thank you

marc-mabe commented 3 years ago

@Sephster done

Sephster commented 3 years ago

LGTM. Thanks @marc-mabe